[MART] - Daily Diary #349 - Microsoft Warns, CVE-2021-40444 being exploited in the wild

CTAS-MAT ctas-mat at appgate.com
Thu Sep 16 20:13:49 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

09/16/2021 - Diary entry #349

CVE-2021-40444 was first discovered earlier this month, on September 7th, where researchers spotted weaponized Office documents being used in targeted e-mail campaigns. The vulnerability exploits a RCE vulnerability in MSHTML, a proprietary browser engine for Internet Explorer that is used in MS Office to render web content. To exploit that, attackers can craft an Office document with malicious ActiveX controls. At first, it was believed that attackers needed to convince their targets to disable the protected view by clicking "Enable Editing" after they open the document. However, it was already shown that RTF documents can exploit the vulnerability without triggering MS Office security measures.

This week Microsoft published in their blog details of a small campaign of targeted attacks, exploiting CVE-2021-40444 to deploy CobaltStrike Beacon. We covered in several of our Daily Diaries different malware families using Cobalt Strike beacon, including the threat actors behind the SolarWinds' incident.

Microsoft's September Patch Tuesday already includes fixes for CVE-2021-40444. As a remediation, companies can also disable ActiveX controls via Group Policy. We would like to take this opportunity to reinforce for everyone to not open e-mail attachments from unknown senders, and not disable security features in documents you didn't write. It's also a good practice to only open e-mail attachments in online Office365, as this limits the attack surface and attackers can't exploit those kinds of vulnerabilities.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210916/4e02b79d/attachment.htm>

More information about the MART mailing list